The only "duplicates" are that the 9.3.0s20021115 is naturally doing
pre-TCR SIG/NXT. I think that bind 9.3. should be tolerant of zones like
that. Or at least provide a more intelligent error message.

I built bind 9.3 on 205.150.200.254, and resigned by zones.
I noticed that I had to edit K*.key -> s/KEY/DNSKEY/.
dnssec-signer complains about the K*.private file, which is confusing.

{I noticed this because my laptop is a stealth secondary for my zone,
and it got upgraded to bind 9.3 sometime in the last month, and the
on-disk copy of the zone finally expired...}

I'm concerned that a pre-9.3.0 secondary may NOW complain that there
is CNAME + NSEC!